Securing the supply chain at scale: Starting with 71 important open source projects
github.blog
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.

cross-posted from: https://lemmy.dbzer0.com/post/51040952

I’m moving away from using products by big tech and I recently started using EnteAuth for 2FA. Today I got an email from them saying that they received money as part of GitHub’s secure open source fund. Maybe I’m just being paranoid but I do not like this at all. Microsoft is not altruistic I don’t care what anyone says. There has to be an ulterior motive for this. With even the recent news that github won’t be so independent anymore and they’re getting folded into the Microsoft umbrella this has me worried. But let’s be real github was never independent just look at copilot being forced down everyone’s throat. That’s why I personally stopped using it.

According to the fund

Throughout this program, each project receives $10,000 USD via GitHub Sponsors (which breaks down to $6,000 USD during the sprint and $2,000 USD at 6- and 12-month security check-ins). Projects are also invited to a new security focused community, and office hours with the GitHub Security Lab, that they can take advantage of during the full 12 months. They also receive security resources to immediately implement in their project and Azure credits for cloud infrastructure.

Those sponsors include

Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password

Projects that are part of this even include nodejs, nvm, log4j, JUnit, and Matplotlib. Taking cybersecurity seriously is great but this just seems like a way to sucker them into their ecosystem to get them dependent on their products. Like I said maybe I’m being paranoid but I wouldn’t be surprise when Microsoft suddenly buys these projects and we lose what made them so great.

  • orclev@lemmy.worldEnglish
    6·
    19 hours ago

    In terms of the open source community Microsoft has been significantly less sketchy than usual for about a decade now. For those of us that are old enough to remember the halloween files it’s hard to let go of that paranoia, particularly with the sketchy shit MS has been doing with their proprietary stuff lately, but near as I can tell they’ve been above board on their open source stuff.

    I wouldn’t go so far as to say blindly trust them at this point, but I wouldn’t just assume with no evidence at all that there has to be something nefarious going on either.

    • kennedy@lemmy.dbzer0.comOPEnglish
      2·
      19 hours ago

      I’ve never heard of the Halloween files I just looked it up and that’s just so crazy. I don’t know what’s going on behind closed doors in their c-suite but I wouldn’t be surprised if this fund is a way to get their hands into open source projects. Like you said there’s no explicit proof so it’s best to be cautious.